<a name="SecurityManager-UnderstandingtheSecurityManagerinApacheShiro"></a>
Understanding the SecurityManager in Apache Shiro
=================================================

The [SecurityManager](static/current/apidocs/org/apache/shiro/mgt/SecurityManager.html) lies at the heart of Shiro's architecture. While the [Subject](subject.html "Subject") represents security functionality and state for a _single_ application user, the `SecurityManager` performs security operations and manages state for _all_ application users.

Because Shiro's API encourages a `Subject`-centric programming approach, most application developers will rarely, if ever, interact with the `SecurityManager` directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the `SecurityManager` functions, especially when configuring one for an application.

<a name="SecurityManager-Design"></a>
Design
------

As stated previously, the application's `SecurityManager` performs security operations and manages state for _all_ application users. In Shiro's default `SecurityManager` implementations, this includes:

*   Authentication
*   Authorization
*   Session Management
*   Cache Management
*   [Realm](realm.html "Realm") coordination
*   Event propagation
*   "Remember Me" Services
*   Subject creation
*   Logout
and more.

But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.

To simplify configuration and enable flexible configuration/pluggability, Shiro's implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the `SecurityManager` implementations mostly act as a lightweight 'container' component, delegating almost all behavior to nested/wrapped components.

<a name="SecurityManager-Modularity"></a>
#[[###Modularity]]#

To simplify the `SecurityManager` implementation complexity and allow for pluggable behavior, the Shiro `SecurityManager` implementations delegate almost all logic to a nested set of modular components that actually perform the necessary functionality. While the components actually execute the logic, the `SecurityManager` implementation knows how and when to coordinate the components for the correct behavior.

The nested components that the `SecurityManager` coordinates and delegates to are:

*   Authenticator (`org.apache.shiro.authc.Authenticator`)
*   Authorizer (`org.apache.shiro.authz.Authorizer`)
*   SessionManager (`org.apache.shiro.session.mgt.SessionManager`)
*   [CacheManager](cachemanager.html "CacheManager") (`org.apache.shiro.cache.CacheManager`)
*   RememberMeManager (`org.apache.shiro.mgt.RememberMeManager`)
*   SubjectFactory(`org.apache.shiro.mgt.SubjectFactory`)

The `SecurityManager` implementations and are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro's architectural modularity can translate into very easy configuration for custom behavior.

#tip('Easy Configuration', 'Because of JavaBeans compatibility, it is very easy to configure the <code>SecurityManager</code> with custom components via any mechanism that supports JavaBeans-style configuration, such as <a href="spring.html" title="Spring">Spring</a>, Guice, JBoss, etc.')

<a name="SecurityManager-ProgrammaticConfiguration"></a>
#[[###Programmatic Configuration]]#

The absolute simplest way to create a SecurityManager and make it available to the application is to create a `org.apache.shiro.mgt.DefaultSecurityManager` and wire it up in code:

``` java
Realm realm = //instantiate or acquire a Realm instance.  We'll discuss Realms later. 
SecurityManager securityManager = new DefaultSecurityManager(realm);
//Make the SecurityManager instance available to the entire application: 
SecurityUtils.setSecurityManager(securityManager);
```

Surprisingly, after only 3 lines of code, you now have a fully functional Shiro environment suitable for most applications. How easy was that!?

You could additionally call any of the `SecurityManager` instance's setter methods with custom implementations of the nested components listed above to fully customize its behavior.

But, as simple as programmatic customization is, these 3 lines of code do not represent the ideal configuration for most real world applications. There are a few reasons why programmatic configuration may not be suitable for your application:

1.  It requires you to know about and instantiate a direct implementation. It would be nicer if you didn't have to know about concrete implementations and where to find them.
2.  The `SecurityUtils.setSecurityManager` method call makes the instantiated `SecurityManager` instance a VM static singleton, which, while fine for many applications, would cause problems if more than one Shiro-enabled application was running on the same JVM. It could be better if the instance was an application singleton, but not a static memory reference.
3.  It requires you to recompile your application every time you want to make a Shiro configuration change.

Most applications instead benefit from text-based configuration that could be modified independently of source code and even make things easier to understand for those not intimately familiar with Shiro's APIs.

<a name="SecurityManager-TextConfiguration"></a>
#[[###Text Configuration]]#

Shiro provides a simple INI-based [configuration](configuration.html "Configuration") that can be used out of the box, but any other JavaBeans-compatible mechanism can be used as well. For example, Shiro has excellent [Spring support](spring.html "Spring") too. Other similar frameworks (Guice, JBoss, etc) could also be used.

#lendAHandDoc()

<input type="hidden" id="ghEditPage" value="securitymanager.md.vtl"></input>
